none
Why are all DCOM and COM+ objects grey on Windows Server 2008 R2 Enterprise Sp1

    Pertanyaan

  • DCOM + COM + services are running, but when accessing DCOM objects using Dcomcnfg tool none of the ojbects are accessible for editing.  All objects listed under Component Services are grey, even My Computer.  This was not like this when server was built. 

    Just to make sure I wasn't imaging this, I installed another server from scratch and examined DCOM on this new build and all objects listed under Component Services are fully acccessible for editing.

    Was there a security patch released some time after Sp1 casuing this issue?  The only changes that are every made to this server and a dbase server that I am supporting are security patches.  No other changes are being introduced to this server Web Server (SharePoint) and SQL 2008 R2 Server other than patching.  This issue is like this on both servers, which was not like this last year.

    Could this be an ACL issue on files & registry?

    02 Maret 2012 18:14

Semua Balasan

  • Yes I have seen this article; however, that does not answer the question.  All Dcom & COM+ objects are like this where as this was not like this until recently.  What changed?  What exactly locking these down like this and why?
    06 Maret 2012 13:28
  • Almost forgot... speaking of which I went thru all the hives giving the local Adminstrators group full access to see if this unlocks all objects.  That is ungreying DCOM & COM+ ojbects back to their original colors, but had not.  Also, if this security feature was intended to be good, then why is it that Windows 7 is not locked down as such?  Could that be, because it causes issues with applications which would be an adminstration nightmare.... especially for those home users who are not savy?

    Regards,

    DWords

     

    Network+, MCP,  MCSA, MCSE ( 2000, 2003, 2008), MCTS, MCITP (2008 MCEA)

    Senior Network Engineer
    • Diedit oleh Dwords 06 Maret 2012 13:38
    • Disarankan sebagai Jawaban oleh cccastillo 08 Februari 2013 13:19
    06 Maret 2012 13:36
  • Hi,

    Due to security consideration, some system core components only grant Trusted Installer full control permission instead of Administrators. And it’s same for both Windows server 2008 R2 and Windows 7. For the grey issue, it can happen if current user not has proper permission for the component. If you need to change the settings, find the Application ID, and edit the permission located at the register editor HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{xxxxxx}. We must take the ownership first, and give the Administrator full control. After make the required changes, please change the owner back to Trusted Installer.


    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    07 Maret 2012 3:08
    Moderator
  • Let me start off with thanking you for replying, but I am well aware of the Trusted Installer and full control permission of this identity.  I am also aware of that Administrators group has read only permission.  I am also aware of having to take ownership of the registery key before being able to add an account and setting proper permissions; however, it appears that no one understands the question.  Therefore, before I continue with a statement let me point out that I am the Administrator of these two Servers and have Full Control permission of the entire Server, such as I have full control of my Desktop. 

    Furthermore, yes both Windows 7 and Windows 2008 R2 have this same ACL setting in the registry - Trusted Installer having full control permission whereas the Administrators group has Read only.  Needless to say, DCOM & COM + objects on Windows 7 are not greyed out whereas Windows 2008 R2 they are.  Windows 7 has no DCOM issues, Windows 2008 R2 does in mulitiples areas.  This was not like that until Security patches being applied to system sometime during the beginning of the year.

    Now you should not have to read between the lines.  Now for the question... --> Why?  This is an issue on Windows 2008 R2 and is causing numerous DCOM erros which will cause constant bandaids to be applied which is not a resolution and is only a workaround that will not be a permanent solution.

    Can someone explain why?  And Why are all the objects greyed out when I am the Administrator of the entire system?

    Credentials may not mean much here, but I know and understand what is going on is not normal..... Please do enlighten me!

    Network+, MCP,  MCSA, MCSE ( 2000, 2003, 2008), MCTS, MCITP (2008 MCEA)

    Senior Network Engineer


    • Diedit oleh Dwords 07 Maret 2012 13:24
    07 Maret 2012 13:15
  • Hi,

    Thank you for your question.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.


    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    08 Maret 2012 7:10
    Moderator
  • Hi,

    Please try to backup and delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", and import it from another working server.

    Thanks.


    “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.”

    08 Maret 2012 14:31
  • Hello Kevin,

    Not a doable option for me!  The other server I support has same issue.  I also checked with another department who are supporting thousands of servers have the same issue.  What is causing this?

    13 Maret 2012 19:30
  • Would you please arrange a affected server for test? Copy "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole" keys from a new built server to this test server. Or you can check any difference between them. i think you have deployed some ACL such as "LegacyImpersonationLeve" or "LegacyImpersonationLevel". 

    Thanks.


    “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.”

    24 Maret 2012 3:49
  • Hi,

    i am just following up to check if you are still working on this issue.

    thanks.


    “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.”

    05 April 2012 8:26
  • Hello Kevin,

    Would had responded sooner, but went on vacation and returned back this week.

    At the moment I don't have a test server for performing this task.  Second of all, no ACL have been deployed other than applying Microsoft Monthly Security Patches.

    And yes issue still exist.  Any other sugestion?

    05 April 2012 17:20